<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-imperative-containers">

<title>Imperative Container Management</title>

<para>We’ll cover imperative container management using
<command>nixos-container</command> first.
Be aware that container management is currently only possible
as <literal>root</literal>.</para>

<para>You create a container with
identifier <literal>foo</literal> as follows:

<screen>
# nixos-container create foo
</screen>

This creates the container’s root directory in
<filename>/var/lib/containers/foo</filename> and a small configuration
file in <filename>/etc/containers/foo.conf</filename>. It also builds
the container’s initial system configuration and stores it in
<filename>/nix/var/nix/profiles/per-container/foo/system</filename>. You
can modify the initial configuration of the container on the command
line. For instance, to create a container that has
<command>sshd</command> running, with the given public key for
<literal>root</literal>:

<screen>
# nixos-container create foo --config 'services.openssh.enable = true;
  users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];'
</screen>

</para>

<para>Creating a container does not start it. To start the container,
run:

<screen>
# nixos-container start foo
</screen>

This command will return as soon as the container has booted and has
reached <literal>multi-user.target</literal>. On the host, the
container runs within a systemd unit called
<literal>container@<replaceable>container-name</replaceable>.service</literal>.
Thus, if something went wrong, you can get status info using
<command>systemctl</command>:

<screen>
# systemctl status container@foo
</screen>

</para>

<para>If the container has started successfully, you can log in as
root using the <command>root-login</command> operation:

<screen>
# nixos-container root-login foo
[root@foo:~]#
</screen>

Note that only root on the host can do this (since there is no
authentication). You can also get a regular login prompt using the
<command>login</command> operation, which is available to all users on
the host:

<screen>
# nixos-container login foo
foo login: alice
Password: ***
</screen>

With <command>nixos-container run</command>, you can execute arbitrary
commands in the container:

<screen>
# nixos-container run foo -- uname -a
Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
</screen>

</para>

<para>There are several ways to change the configuration of the
container. First, on the host, you can edit
<literal>/var/lib/containers/<replaceable>name</replaceable>/etc/nixos/configuration.nix</literal>,
and run

<screen>
# nixos-container update foo
</screen>

This will build and activate the new configuration. You can also
specify a new configuration on the command line:

<screen>
# nixos-container update foo --config 'services.httpd.enable = true;
  services.httpd.adminAddr = "foo@example.org";'

# curl http://$(nixos-container show-ip foo)/
&lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…
</screen>

However, note that this will overwrite the container’s
<filename>/etc/nixos/configuration.nix</filename>.</para>

<para>Alternatively, you can change the configuration from within the
container itself by running <command>nixos-rebuild switch</command>
inside the container. Note that the container by default does not have
a copy of the NixOS channel, so you should run <command>nix-channel
--update</command> first.</para>

<para>Containers can be stopped and started using
<literal>nixos-container stop</literal> and <literal>nixos-container
start</literal>, respectively, or by using
<command>systemctl</command> on the container’s service unit. To
destroy a container, including its file system, do

<screen>
# nixos-container destroy foo
</screen>

</para>

</section>